Department of Homeland Security
Office of Inspector General

Stronger Security Controls Needed on Active Directory Systems

OIG-10-86                                            May 2010

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

MAY 10 2010

Preface

The Department of Homeland Security (DHS), Office of Inspector General, was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report addresses the strengths and weaknesses of DHS' management of its implementation of Active Directory. It is based on interviews with selected officials and contractor personnel, direct observations, technical security vulnerability assessments, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary ........................................ 1
Background ............................................... 2
Results of Audit ......................................... 3
    Vulnerable Systems Added to DHS Network .............. 3
    Governance Needed to Verify Security Requirements .... 5
    Recommendations ...................................... 6
    Management Comments and OIG Analysis ................. 6

Appendixes
    Appendix A: Purpose, Scope, and Methodology .......... 8
    Appendix B: Management Comments to the Draft Report .. 9
    Appendix C: Major Contributors to This Report ........ 14
    Appendix D: Report Distribution ...................... 15

Abbreviations
    CBP      Customs and Border Protection
    DHS      Department of Homeland Security
    FEMA     Federal Emergency Management Agency
    HQ       Headquarters
    ICE      Immigration and Customs Enforcement
    ISA      Interconnection Security Agreement
    OCIO     Office of Chief Information Officer
    OCS      Office Communication Server
    OIG      Office of Inspector General
    S&T      Science and Technology (Directorate)
    TSA      Transportation Security Administration
    USCIS    United States Citizenship and Immigration Services
    USCG     United States Coast Guard
    USSS     United States Secret Service

OIG
Department of Homeland Security
Office of Inspector General

Executive Summary

The Department of Homeland Security uses Microsoft Windows Active Directory services to manage users, groups of users, computer systems, and services on its headquarters network. We reviewed the security of the Active Directory collection of resources and services used by components across the department through trusted connections. These resources and services provide department-wide access to data that supports department missions but require measures to ensure their confidentiality, integrity, and availability. The servers that host these resources must maintain the level of security mandated by department policy.

Systems within the headquarters' enterprise Active Directory domain are not fully compliant with the department's security guidelines, and no mechanism is in place to ensure their level of security. These systems were added to the headquarters domain, from trusted components, before their security configurations were validated. Allowing systems with existing security vulnerabilities into the headquarters domain puts department data at risk of unauthorized access, removal, or destruction.

Also, the department does not have a policy to verify the quality of security configuration on component systems that connect to headquarters. Interconnection security agreements are present for each connection between headquarters and components to secure shared services; however, neither the agreements nor other policy define specific security controls required for connecting systems. Stronger management and technical controls are needed on trusted systems to protect data provided by the department's enterprise-wide applications.

We are making three recommendations to the Office of Chief Information Officer. The Office of Chief Information Officer concurred with all recommendations and has already initiated actions to implement them. The Office of Chief Information Officer's response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Stronger Security Controls Needed on Active Directory Systems
Page 1

Background

Active Directory provides authentication services on a network. It allows system administrators to assign security policies, deploy software, and apply critical software updates to the organization's Windows servers and workstations. Administrators organize information technology resources into logical groups of computers and users, or Active Directory domains, to facilitate security and systems management.

Across the Department of Homeland Security (DHS), Active Directory has been implemented under a federated model where policy and guidance are centrally promulgated, but each component is responsible for its own network operations. Major components of DHS manage and control their own Active Directory domains, each with their own users, groups, workstations, and servers, and remain wholly separate from the headquarters domain, as shown in Figure 1.[1]

[Figure 1. DHS' Headquarters Active Directory Connections]

[1] The following components have Active Directory connections with DHS headquarters: Customs and Border Protection (CBP), Federal Emergency Management Agency (FEMA), Immigration and Customs Enforcement (ICE), Office of Inspector General (OIG), Science and Technology (Directorate) (S&T), Transportation Security Administration (TSA), United States Citizenship and Immigration Services (USCIS), United States Coast Guard (USCG), and United States Secret Service (USSS).

Some programs, called enterprise applications, require access by users from more than one component and are configured to cross regular domain boundaries. Active Directory uses trusts, or logical connections, to allow users to access information outside their home domain without needing additional accounts on the external domain.

DHS has established trusts between the headquarters domain and nine other components' domains to grant disparate users access to centralized enterprise-wide applications. Some of the applications are owned by components, while some are owned by DHS and provided as a service to component users. For example, DHS recently deployed Microsoft Office Communications Server (OCS) on its headquarters domain. Users throughout the department access OCS for virtual conferencing and collaboration.

In February 2007, the Secretary issued a policy on internal information exchange and sharing intended to foster "one DHS." The policy envisions an information-sharing environment free of unnecessary limitations or constraints. The policy also highlights the need to ensure the integrity of ongoing operations and conduct practices in a manner consistent with the law, including federal privacy and information security requirements. DHS' deployment of enterprise applications on the headquarters domain shows progress toward achieving a "one DHS" information-sharing environment.

Results of Audit

Vulnerable Systems Added to DHS Network

DHS' implementation of Active Directory provides security controls for its systems and users, but these controls can be circumvented. Specifically, DHS has allowed systems to be connected to its network and added to its domain through its trusts with other components that do not comply with published security policy. Further, trusted systems do not meet the level of security stipulated by service agreements. As a result, systems with vulnerabilities could allow unauthorized access and service disruption to the department's critical enterprise applications.

The security of Active Directory services comes from policy, the implementation of guidelines, and the use of written agreements to govern the connections. Failure to enforce policy and the poor quality of security configuration implementation on servers added to DHS' headquarters domain from other components puts department data at risk.

We reviewed servers in the enterprise application domain to determine the level of compliance with published Active Directory security configuration policy. Systems from CBP, ICE, and S&T contained security vulnerabilities and do not have configuration controls specifically identified within the DHS Sensitive Systems Policy Directive 4300A and Handbook and the DHS Secure Baseline Configuration Guide for Microsoft Windows. These vulnerabilities leave servers and, consequently, the department's headquarters domain and network at risk.

Examples of vulnerabilities include:

   • A default privileged account enabled on a Windows server
   • Missing security patches
   • Local password policy not set to DHS standards
   • A protocol in use that is specifically identified in DHS policy as vulnerable.

DHS 4300A outlines security controls that provide automated protection against unauthorized access or misuse. DHS 4300A facilitates detection of security violations and supports security requirements for applications and data on DHS systems. The policy directive includes controls specifying the local password policies, privileged account management, and the requirement to apply security patches in a timely manner. Additionally, DHS' secure baseline configuration guides provide system administrators with a set of procedures that will ensure a minimum security baseline when installing or configuring a Microsoft Windows server. Configuration settings within the Microsoft Windows server guide direct administrators to refuse protocols that are currently in use on some trusted systems.

While Active Directory provides security controls for systems and users, these controls are not inherited by systems added to its enterprise application domain. A basic tenet of information security is to apply controls to systems that not only exist within a network, but to those that connect to it as well. By accepting trusted systems from other components without enforcing or confirming security controls, DHS exposes its network to vulnerabilities contained on those systems.
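As an added example (not part of the OIG report and not DHS' own tooling), the following PowerShell script shows how an administrator could check a component server against the four vulnerability classes listed above before it is admitted to the headquarters enterprise application domain through a trust. It assumes Windows Server 2016 or later with PowerShell 5.1 in an elevated session; the password-policy thresholds, the choice of SMBv1 and legacy LM/NTLM settings as the "vulnerable protocol", and all function names are assumptions, since the report does not state the DHS 4300A values or name the protocol it found.

```powershell
# Added example (not from the OIG report): read-only baseline check for a server
# that is about to be trusted into the headquarters enterprise application domain.
# Covers the four vulnerability classes the report lists: default privileged
# account, missing patches, local password policy, and a vulnerable protocol.
# Run from an elevated PowerShell 5.1 session on Windows Server 2016 or later.

# ASSUMED thresholds (placeholders, not the DHS 4300A values; substitute the
# real ones from the directive and the Secure Baseline Configuration Guide).
$Policy = @{
    MinimumPasswordLength = 12   # characters
    PasswordComplexity    = 1    # 1 = complexity enabled
    MaximumPasswordAge    = 90   # days
    LockoutBadCount       = 5    # failed attempts before lockout
}

function New-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [PSCustomObject]@{
        Check  = $Check
        Status = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail = $Detail
    }
}

function Test-DefaultAccounts {
    # The built-in Administrator (RID 500) and Guest (RID 501) accounts should be disabled.
    foreach ($user in Get-LocalUser) {
        $rid = [int]($user.SID.Value -split '-')[-1]
        if ($rid -in 500, 501) {
            New-Finding "Default account '$($user.Name)' disabled" (-not $user.Enabled) "Enabled=$($user.Enabled)"
        }
    }
}

function Test-MissingPatches {
    # Ask the Windows Update agent (WSUS or Microsoft Update, whichever the server
    # uses) for applicable updates that are not installed. Needs reachability to that source.
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
        $titles   = @($result.Updates | ForEach-Object { $_.Title })
        New-Finding 'No missing software updates' ($titles.Count -eq 0) ($titles -join '; ')
    } catch {
        New-Finding 'No missing software updates' $false "Update search failed: $($_.Exception.Message)"
    }
}

function Test-LocalPasswordPolicy {
    # Export the effective local security policy and read the [System Access] values.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /quiet | Out-Null
    $values = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)') { $values[$matches[1]] = [int]$matches[2] }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    $minLen  = [int]$values['MinimumPasswordLength']
    $complex = [int]$values['PasswordComplexity']
    $maxAge  = [int]$values['MaximumPasswordAge']   # -1 means passwords never expire
    $lockout = [int]$values['LockoutBadCount']       # 0 means no lockout at all

    New-Finding 'Minimum password length'     ($minLen -ge $Policy.MinimumPasswordLength) "Actual=$minLen"
    New-Finding 'Password complexity enabled' ($complex -eq $Policy.PasswordComplexity) "Actual=$complex"
    New-Finding 'Maximum password age'        ($maxAge -gt 0 -and $maxAge -le $Policy.MaximumPasswordAge) "Actual=$maxAge"
    New-Finding 'Account lockout threshold'   ($lockout -gt 0 -and $lockout -le $Policy.LockoutBadCount) "Actual=$lockout"
}

function Test-VulnerableProtocols {
    # The report does not name the protocol it found; SMBv1 and legacy LM/NTLM
    # authentication are used here as ASSUMED examples of policy-prohibited protocols.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb) {
        New-Finding 'SMBv1 server disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"
    }
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $lm  = [int]$lsa.LmCompatibilityLevel   # 0 here may also mean "not set", so the OS default applies
    New-Finding 'LmCompatibilityLevel 5 (NTLMv2 only; refuse LM and NTLM)' ($lm -ge 5) "Actual=$lm"
}

function Invoke-TrustedServerBaselineCheck {
    @(Test-DefaultAccounts) + @(Test-MissingPatches) + @(Test-LocalPasswordPolicy) + @(Test-VulnerableProtocols)
}

$results = Invoke-TrustedServerBaselineCheck
$results | Format-Table -AutoSize
if ($results.Status -contains 'FAIL') {
    Write-Warning 'Server does not meet the baseline; remediate the FAIL items before adding it to the enterprise application domain.'
}
```

The output is a PASS/FAIL table that a headquarters reviewer could attach to the change record for the trust, which is the kind of pre-admission validation the report finds missing.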
Risks associated with these vulnerabilities include potential unauthorized access to data or interruption of critical services to both DHS employees and the public.

Services that require enterprise-wide access need at least the same level of security controls as those systems contained within components' domains. We determined, however, that component-owned systems hosted on the headquarters domain are not fully compliant with DHS security policy. Moreover, DHS does not ensure that trusted systems meet information security requirements before allowing connectivity to its network.

The current implementation of Active Directory does not have controls to secure the systems put in place to support the requirements of enterprise applications. Initially designed to support only headquarters, the current Active Directory structure is not optimized for supporting enterprise-wide applications. To secure the systems that are added, manual procedures and individual validations must be performed. These processes have not proven to be effective in maintaining the level of security required on DHS' network. The department has recently undertaken efforts to better organize the department's Active Directory security framework to better support enterprise applications and offer components more efficient access to critical data.

Governance Needed to Verify Security Requirements

DHS has not established policy to enforce the implementation of security controls on component systems. Currently, DHS uses interconnection security agreements (ISA) to establish individual and organizational security responsibilities for the protection and handling of sensitive but unclassified information between DHS' headquarters domain and the component domain. However, while the ISA documents in place for headquarters and components describe policy, they do not provide specific measures, such as audits or vulnerability assessments, for either party to validate security controls on connected systems and enforce any needed changes. As a result, the ISAs exist only as an agreement to adhere to DHS policy.

DHS requires that an ISA identify roles and responsibilities for policy and guidance enforcement. An ISA should contain language to identify how security controls are implemented to protect the confidentiality, integrity, and availability of the data and systems being interconnected.

Conclusion

Regardless of the approach DHS takes in moving forward with its Active Directory restructuring, security policy implementation and enforcement must be considered as an integral part of any project that could expose DHS systems and data to risk. While DHS continues to speed the deployment of state-of-the-art systems and strive for "one DHS" as directed by the Secretary, it cannot sacrifice the confidentiality, integrity, or availability of its data and services. DHS' current Active Directory trusts pose risks and require stronger security controls in place to provide secure and effective enterprise services.

Recommendations

We recommend that the Chief Information Officer:

Recommendation #1: Verify that security controls are implemented and configuration settings are compliant with DHS policy on systems connected or added to DHS' Active Directory enterprise application domain through trusts.

Recommendation #2: Address the current vulnerabilities on systems connected to Active Directory.

Recommendation #3: Provide governance to ensure appropriate security measures are taken for all systems.

Management Comments and OIG Analysis

The Office of Chief Information Officer (OCIO) concurred with recommendation 1. The Active Directory Working Group will work with the Security Policy Working Group of the Chief Information Security Officers Council to develop guidance for Active Directory configurations.

We agree the steps that OCIO is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved and it will remain open until OCIO provides documentation to support that all planned corrective actions are completed.

The OCIO did not concur with recommendation 2 as written in the draft report. The OCIO suggested revised recommendation language that it believed would better address what the report is targeting. We agree with OCIO and have revised some of the language as suggested. OCIO concurs with revised recommendation 2, and is working to address the vulnerabilities identified.

We agree the steps that OCIO is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved and it will remain open until OCIO provides documentation to support that all planned corrective actions are completed.

The OCIO did not concur with recommendation 3 as written in the draft report. The OCIO suggested revised recommendation language and we agreed to this change. OCIO concurs with revised recommendation 3, and is taking corrective actions to address the deficiencies identified.

We agree the steps that OCIO is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved and it will remain open until OCIO provides documentation to support that all planned corrective actions are completed.

OCIO also provided technical comments on the report, and we have incorporated these comments where appropriate.

Appendix A
Purpose, Scope, and Methodology

The objective of our review was to determine whether DHS has implemented effective security controls on its Active Directory domain. We conducted this performance audit between September 2009 and January 2010 according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.

We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Major OIG contributors to the audit are identified in Appendix C.

The principal OIG points of contact for the evaluation are Frank Deffer, Assistant Inspector General, Information Technology Audits, at (202) 254-4041 and Chiu-Tong Tsang, Director, Information Security Audit Division, at (202) 254-5472.

Appendix B
Management Comments to the Draft Report

U.S. Department of Homeland Security
Washington, DC 20528
Homeland Security

March 29, 2010

MEMORANDUM FOR:    Frank Deffer
                   Assistant Inspector General for IT Audits

FROM:              Richard A. Spires
                   Chief Information Officer

SUBJECT:           OIG Draft Response: "Stronger Security Controls Needed on Active Directory"

The Department of Homeland Security (DHS) Office of the Chief Information Officer (OCIO) has initiated efforts to address the findings of the Office of the Inspector General Draft Report, "Stronger Security Controls Needed on Active Directory." The OCIO response to the OIG recommendations is as follows:

Recommendation #1: Verify that security controls are implemented and configuration settings are compliant with DHS policy on systems connected or added to DHS' Active Directory enterprise application domain through trusts.

OCIO March 2010 Response: OCIO concurs. The Active Directory Working Group will work with the Security Policy Working Group of the Chief Information Security Officers Council to provide guidance that will allow clear direction for Active Directory (AD) configurations.

Recommendation #2: Ensure that existing vulnerabilities on trusted systems are not carried forward with any changes to the headquarters Active Directory services.

OCIO March 2010 Response: OCIO does not concur. The second recommendation does not appear to address what the report is targeting. OCIO proposes the following language instead: "Ensure that current vulnerabilities are addressed and that processes, procedures and governance be instituted to ensure that DHS Enterprise Authentication services meet the mission needs."

Recommendation #3: Revise the Interconnection Security Agreement (ISA) document to provide a mechanism for DHS to validate the security controls and configuration settings on systems before they are connected or added to DHS' headquarters domain.

OCIO March 2010 Response: OCIO does not concur. As part of the existing ISA, pursuant to DHS 4300A policies and as controlled by the Infrastructure Change Control Board (ICCB), all systems that interconnect with AppAuth must have an Authority to Operate (ATO). In addition, each system must have an Information Systems Security Officer who is personally responsible for ensuring that the systems meet the security requirements and providing that assurance on the change that connects the application to AppAuth.

OCIO suggests that Recommendation #3 be revised to read: "Provide Governance such that appropriate security measures are taken for all systems."

In addition, OCIO also offers the following comments throughout the February 2010 report "Stronger Security Controls Needed on Active Directory Systems":

1. Draft Report Section: P. 1, first paragraph, "In particular, we evaluated the security of the Active Directory collection of enterprise resources and services used by components across the department through trusted connections."
   DHS Comment: The document refers to the issues within the Headquarters' Enterprise Active Directory (AD). This language could be confusing since the Headquarters has its own AD domain called "DHSnet" that supports the DHS Headquarters Sensitive-but-Unclassified office automation network referred to as "LAN-A," which is separate from the DHS Enterprise Active Directory also known as "AppAuth." OCIO suggests using Enterprise Authentication or AppAuth to help keep the context clear.
   OIG: No change. For purposes of this report we do not believe it is necessary to define the Headquarters' AD structure in terms of root and child domains.

2. Draft Report Section: P. 1, second paragraph, "Overall, systems within the headquarters' enterprise Active Directory domain are not fully compliant with the department's security guidelines, and no mechanism is in place to ensure their level of security."
   DHS Comment: OCIO agrees that AppAuth needs to be improved. In fact on December 16, 2009 the CIO/CISO community endorsed a general upgrade plan for DHS. This plan is highlighted below:
   Major Milestone for AppAuth V2.0 (NextGen):
   • Establish AD Working Group - (completed)
   • Determine how U.S. Coast Guard (USCG) and U.S. Secret Service (USSS) should integrate into AppAuth
   • Implement Governance Model For AppAuth and Enterprise Federated AD
   • Create AppAuth Development and Test Environment
   • Upgrade all Enterprise facing DC's to 2008R2
   • Implement two way trust
   • Create resource forest for all of DHS in AppAuth (dynamic entries)
   • Create tools to populate and maintain enterprise Forest in AppAuth
   • Obtain revised ATO for AppAuth NextGen
   This investment by DHS will provide the robust governance called for in the OIG draft report and improve integration and data sharing throughout the Department. DHS has already made improvements by eliminating Windows Server 2000 Domain Controllers in one Component's domain, which were unsupportable, by (1) obtaining improved hardware for AppAuth, (2) providing monitoring of the AppAuth communications and infrastructure, and (3) integrating USSS into the Trust.
   OIG: No change. We agree that the steps OCIO is taking will strengthen the controls implemented on AppAuth.

3. Draft Report Section: P. 1, third paragraph, "…the interconnection security agreements between headquarters and components to properly secure their shared services, are current for each connection present, but containing no provisions to ensure the quality of security configuration on the systems."
   DHS Comment: As identified and defined with the DHS 4300A security policy, ISAs are agreements on how connections between systems will be developed and sustained. The ISA is not intended as the enforcement tool; but rather a method for the stakeholders (the Approving Officials for the connecting systems) to identify mutual areas of risk and the appropriate controls to mitigate those risks. Recognizing that the ISA is not the appropriate mechanism to address the items of concern as identified by the OIG, we suggest that DHS use its Governance processes that are being stood up under the Information Technology Services Governance Board (ITSGB) to ensure that Authentication Services are correctly implemented and sustained. From CISO governance considerations, there are ongoing activities to allow enterprise service offerings to provide clearer guidance on the specifics of the services provided (specifically on the NIST 800-53 controls) and the requirements for systems to interconnect to the enterprise service. It is expected the AppAuth will be a prime example of this Enterprise Security Service Agreement in lieu of multi-party ISAs.
   OIG: We revised the report to note that there is no governance in place to verify the security of controls on component systems that connect to headquarters.

4. Draft Report Section: P. 2, first paragraph, "Active Directory allows system administrators to assign security policies, deploy software, and apply critical software updates to the organization's Windows servers and workstations."
   DHS Comment: Active Directory provides authentication services. It is used by systems to facilitate patching and software delivery, but does not do these items itself.
   OIG: We revised the report to clarify that "Active Directory provides authentication services on a network," and "it allows system administrators to assign security policies, deploy software, and apply critical software updates to the organization's Windows servers and workstations."

5. Draft Report Section: P. 2, second paragraph, "Across the department, Active Directory has been implemented under a federated model where policy and guidance are centrally promulgated, but each component is responsible for its own network operations."
   DHS Comment: The performance of network operations is separate and distinct from the management of Active Directory. Active Directory Policies and Services are managed by the Components in a federated model. Federation is actually Microsoft's Best Practice approach to diversified organizations' use of Active Directory. However, DHS would like to improve the governance of the group policies and management of these federated active directories.
   OIG: No change.

6. Draft Report Section: P. 2, Figure 1, "DHS' Headquarters Active Directory Connections"
   DHS Comment: A blue triangle should be added for LAN-A (DHSnet), which is the Headquarters Active Directory domain, and the yellow triangle should read Enterprise Authentication (AppAuth).
   OIG: No change.

7. Draft Report Section: P. 2, Figure 1, "DHS' Headquarters Active Directory Connections"
   DHS Comment: Currently, there are 10 domains that AppAuth integrates. FLETC should be included as well. Also please note that TSA includes the Federal Air Marshal Service and Federal Flight Deck Officer program.
   OIG: No change. In December 2009, OCIO identified 10 components with trusts in place with Headquarters. FLETC was not included in the 10 identified. Additionally, no change was made regarding the Federal Air Marshal Service and Federal Flight Deck Officer since they are programs under TSA.

8. Draft Report Section: P. 3, second paragraph, "…DHS recently deployed Microsoft Office Communications Server (OCS) on its headquarters domain. Users throughout the department access OCS for virtual conferencing and collaboration."
   DHS Comment: Office Communication Service (OCS) was deployed in AppAuth. There was an element of the enterprise OCS deployment that also required the Component controlled AD domains to perform concurrent activities to assure proper operation.
   OIG: No change.

9. Draft Report Section: P. 5, first paragraph, "Moreover, DHS does not ensure that trusted systems meet information security requirements before allowing connectivity to its network."
   DHS Comment: The sentence is not accurate. As part of the existing ISA, pursuant to DHS 4300A policies and as controlled by the ICCB, all systems that interconnect with AppAuth must have an ATO, and each system must have an ISSO who is personally responsible that the systems meet the security requirements and who provides assurance on the change that connects the application to AppAuth.
   OIG: No change. While we acknowledge that DHS policy designates an ISSO as responsible for system security requirements, we maintain that there is no governance in place for OCIO to verify the security of controls on component systems that connect to headquarters.

Appendix C
Major Contributors to This Report

Information Security Audit Division

Edward Coleman, Director
Chiu-Tong Tsang, Director
Mike Horton, Information Technology Officer
Amanda Strickler, Information Technology Specialist
Frederick Shappee, Referencer
Directory Systems \n\n\n                                            Page 14 \n\n\x0c                                 FOR OFFICIAL USE ONLY\n\nAppendix D\nReport Distribution\n\n                      Department of Homeland Security\n\n                      Secretary\n                      Deputy Secretary\n                      Chief of Staff\n                      Deputy Chief of Staff\n                      General Counsel\n                      Executive Secretary\n                      Assistant Secretary for Policy\n                      Assistant Secretary for Office of Public Affairs\n                      Assistant Secretary for Office of Legislative Affairs\n                      CIO\n                      Deputy CIO\n                      Chief Information Security Officer\n                      Director, Compliance and Oversight\n                      Director, GAO/OIG Liaison Office\n                      CIO Audit Liaison\n                      Chief Information Security Officer Audit Manager\n\n                      Office of Management and Budget\n\n                      Chief, Homeland Security Branch\n                      DHS OIG Budget Examiner\n\n                      Congress\n\n                      Congressional Oversight and Appropriations Committees, as\n                      appropriate\n\n\n\n\n                 Stronger Security Controls Needed on Active Directory Systems \n\n\n                                            Page 15 \n\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,\nfax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to 
us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'